Normally, the LDAP groups are synced with Liferay UserGroups, so you could use the Liferay API to check the user's usergroups. Is there any reason to scan specifically for LDAP groups? – yannicuLar Jan 25 '13 at 10:24

1 Answer
1

The problem you will have is that LDAP directories are somewhat inconsistent about storing group membership on the user.

eDirectory stores Group Membership on the user (groupMembership in LDAP).
Active Directory in later versions (2008 I think) stores memberOf on the User, sort of.
It is not stored as a static value in AD, but can be read and it is calculated.

Generally the LDAP approach has been to query for:

(&(objectClass=group)(member=cn=MyUser,ou=MyOu,dc=com))

That is, go find me all groups of which this user is a member, and then check to see if your control group is returned. This is not really efficient, but it will work.
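The following is an added example, not part of the original answer. It builds the group-side filter shown above with the user DN escaped per RFC 4515, so characters such as parentheses or `*` in a DN cannot change the filter's structure, and then checks for the control group in either the search results or the user-side attributes the answer names. The function names and the sample DNs are assumptions made for illustration.

```python
import re

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(user_dn, group_class="group", member_attr="member"):
    """Filter for 'all groups that list this user as a member'.

    The defaults match the filter in the answer; other directories use
    other names (for example groupOfNames), so both are parameters.
    """
    return "(&(objectClass=%s)(%s=%s))" % (
        group_class, member_attr, escape_filter_value(user_dn))


def norm_dn(dn):
    """Simplified DN comparison key: case-insensitive, with whitespace
    around unescaped commas removed. Not a full RFC 4514 normalizer."""
    return re.sub(r"\s*(?<!\\),\s*", ",", dn.strip()).casefold()


def user_in_group(control_dn, user_entry=None, group_dns=()):
    """True if control_dn is listed on the user entry (groupMembership on
    eDirectory, memberOf on Active Directory) or is among the group DNs
    returned by a search using membership_filter()."""
    wanted = norm_dn(control_dn)
    listed = list(group_dns)
    for attr in ("groupMembership", "memberOf"):
        listed.extend((user_entry or {}).get(attr, []))
    return any(norm_dn(dn) == wanted for dn in listed)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    print(membership_filter("cn=J. Doe (contractor),ou=MyOu,dc=com"))
    found = ["cn=Staff,ou=Groups,dc=com", "cn=admins,ou=groups,dc=com"]
    print(user_in_group("CN=Admins, ou=Groups,dc=com", group_dns=found))
```
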